[Cryptography] Bitcoin theft and the future of cryptocurrencies

[John Newman]

On Mon, Dec 25, 2017 at 07:45:47PM -0500, grarpamp wrote:
> > https://www.reddit.com/r/DarkNetMarkets/comments/5cb74u/blockchain_analysis_and_antimoney_laundering/
> >
> > (Unfortunately the original text of the above post has been deleted. I've
> > been looking for an archived copy but haven't found one yet. Suffice to say,
> > it showed that as of 2016 law enforcement already had off-the-shelf software
> > capable of deanonymizing coinjoin'd transactions.)
> 
> Nothing really new here that wasn't understood by
> blockchain tech community in early days...
> 
> ==========
> https://www.reddit.com/r/DarkNetMarkets/comments/5cb74u/blockchain_analysis_and_antimoney_laundering/
> Blockchain Analysis and Anti-Money Laundering (X-post from /r/DarknetmarketsOz)
> submitted 20161110T233518 by Realitybytes_
> http://archive.is/zLPcs
> 
> As promised many months ago, I have attended my first CP session on
> AML/CTF for cryptocurrency and I am now in a position to discuss at a
> high level what the current state of play is.
> While AML issues have not been touched on in this course yet
> (strategies and counter strategies will be discussed in session 2), I
> felt some of these issues are too important to wait for a better write
> up post this time and the overall method they are using to undertake
> AML analysis is now exceptionally clear.
> I note some of the technology demonstrated to us in these sessions is
> very new (been in use for less than 90 days) and from what we are
> being shown, it's powerful enough that some significant steps may need
> to be taken in the future to avoid being tagged, I will address this
> after outlining what is being demonstrated to us.
> ────────
> The current state of play
> Not much surprise too many of you who are concerned with significant
> opsec, however banks have been indiscriminately flagging every
> transaction related to bitcoin purchases and sales for quite some
> time, I even raised in this my previous post on AML/CTF.
> When I raised this previously, I assumed it was just regular AML/CFT
> controls, however I was wrong, this information has been used in a
> project I was not privy too, and this data from the banks I have
> worked with (in Australia) has been consolidated with many banks
> within the 5 eyes and provided to a data science corporate (Palantir)
> to conduct large scale inference matching alongside the distributed
> ledger.
> From what was demonstrated, this software basically matches up all
> transactions that show funds being flowed into the block chain (via
> banks, credit cards and KYC/verified website sites) and matches this
> information up to begin building out a map of who wallets relate to.
> The software is currently being developed to undertake profile
> matching (albeit this is only in a preliminary stage) so if you have
> sent funds to the same wallet from a different wallet, it will link
> them to the owner again (this is still inherently inaccurate).
> ────────
> What this means for buyers
> The systems in place seem heavily predecated around buyers not vendors
> which I found surprising, with the early reports showing that in as
> few as 2 transactions matched between the block chain distributed
> ledger and bank accounts de-anonymising wallets which is undertaken
> using information relating to a weight price of bitcoin (with
> tolerances) and the tracking of the specific value of bitcoins being
> sent, due to the finite nature of bitcoin transactions flowing from
> bank accounts to wallets this is already being tracked in real time.
> From our conversations (and inherent alarm of this in the audience,
> leading to the conclusion there are plenty of my peers buying from
> markets) as far as we have ascertained, this data is not yet being
> used for any purpose aside from mass de-anonymising users, which leads
> my peers and me to believe that the movement of funds alone cannot be
> used for raising charges, this does raise other concerns at an
> administrative level, as it is likely this data could be shared
> between government bodies to authorise a "probable cause" warrant on
> mail and houses.
> I can also confirm that this software was used in the most recent
> police sting in New Zealand, adding weight to the conclusion that
> judges are comfortable signing warrants on this information.
> If you have always undertaken cash purchases of LBC, avoided KYC
> requirements and never cashed out bitcoins, you are likely still
> anonymous.
> ────────
> What this means for vendors
> As detailed above, as the software undertakes bank and transaction
> matching to wallets as long as they have never directly cashed out
> money from a wallet to their bank, they should still be safe.
> This section will likely be expanded on post session two when we
> address AML concerns.
> ────────
> Tumblers are useless
> Against my better judgement, I’m going with this click bait heading,
> but the premise is correct.
> Due to the software running real time analysis on the ledger, simply
> avoiding taint and breaking up coins is now entirely ineffective, as
> it matches the full bitcoin amount to be received over a period of
> time, as the software is built around a neural net of sorts (talking
> out of school here, I’m not a programmer) it appears to self-correct
> in real time as a more "likely" or "accurate" owner conclusion is
> reached.
> ────────
> Frequently asked questions
> These are the questions asked in the audience and their response (not
> mine; I have no opinion either way).
> How quickly can it de- anonymise a user? If the user has sent coins
> from a KYC verified organisation, the wallets sent through will be
> de-anonymised in real time, otherwise it will assign a unique primary
> key to the wallet once it has been identified as unique and it will
> flag all wallets believe to be owned by this user.
> Who is this data currently being shared with? The information is
> available to all major international anti-crime organisations; however
> at this time the  analysis has been undertaken for Australia, New
> Zealand, America, Canada and the United Kingdom.
> How will this impact other cryptocurrencies? The overall process it
> determined to be identical, if there is a block chain to be analysed
> and a trade of cash to these coins it is anticipated we will continue
> to de-anonymise wallets.
> How will this to used to combat the drug trade? The software will
> inherently flag dealer wallets in the same process it flags
> purchasers; however as the overall end result between buyers and
> sellers is the opposite this information will be used to assist law
> enforcement to identify volume of sales based on turnover.
>  - Are we legally allowed to utilise this information? As
> cryptocurrencies are determined to be an asset not a currency, the
> existing laws allow this to be  monitored similar to that of any
> asset.
> What about monero? We believe due to the low adoption rate difficult
> in obtaining coins and converting into cash that monero adoption will
> continue to be low, similar to that of any alternative cryptocurrency.
> ────────
> What measures should now become the default
> Under no circumstance should you be purchasing bitcoins from any KYC
> verified organisation, and banks should be avoided.
> Purchasing in cash is now the default.
>  - Wallets should be changed regularly, at a "on a per transaction"
> basis is possible.
> Everyone should send bitcoins in rounded amounts from 0.25 to 1.0,
> this would destroy the entire matching algorithm, if we all just send
> coins in amounts of 1.0 it would be impossible to ascertain users if
> we avoided KYC.
>  - All bitcoin movements should be undertaken via a non-domestic VPN or TOR
> ────────
> Apologies if this article seems like a doom and gloom speech, I am
> actually surprised as to how well developed this process is.
> I got to play with the software for a few minutes and I was surprised
> to see it new I purchased bitcoins and what my wallet was (fortunately
> for me, there was no solid line to a market).
> If you have any questions, please let me know, I will do another
> follow up post my session two, however this is booked in for February,
> so in the meantime stay safe and stay anonymous.
> 
> ==========


Interesting. I always bought coins directly from a guy who was happy
to take my money, at a cost to me only slightly above TX fee, and
send coin straight to my wallet(s). The whole concept of the KYC
requirements of all the major online exchange sites seemed both
antithetical to BTC and dangerous. I was always wary of tumbling
the coins for anonymity, and stopped screwing around with it when
I lost easy access to my point of contact that would do direct coin
for cash...

In any case, its been going on a couple years since I did anything
at all with BTC. I do wish I had held on to some of the coins I
went through, with the current prices (*bleh!*).

-- 
GPG fingerprint: 17FD 615A D20D AFE8 B3E4  C9D2 E324 20BE D47A 78C7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20171226/76eef504/attachment-0002.sig>